The cybersecurity community is on high alert as the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly issue an advisory on the growing threat posed by the Rhysida ransomware.
Operating under a ransomware-as-a-service (RaaS) model, Rhysida actors have exhibited a pattern of opportunistic attacks targeting organizations across diverse sectors, including education, manufacturing, information technology, and government. The ransom payments collected are shared between the group and its affiliates, creating a concerning trend in the cybersecurity landscape.
Rhysida Ransomware Attack Tactics and Evolution
Rhysida, first detected in May 2023, employs a ransomware tactic known as double extortion: it demands a ransom for decrypting victim data and threatens to publish exfiltrated data if payment is not made. For initial access and persistence within a network, the threat actors exploit external-facing remote services such as virtual private networks, the Zerologon vulnerability (CVE-2020-1472), and phishing campaigns. The group has been linked to Vice Society, sharing targeting patterns and utilizing tools like NTDSUtil and PortStarter, previously exclusive to the latter.
According to researchers, Rhysida claimed five victims in October 2023, positioning itself in the ransomware landscape alongside formidable counterparts like LockBit and NoEscape. Notably, the group's switch from the Vice Society brand to Rhysida has been tracked, with the transition observed in June 2023. The shift raises questions about how ransomware operators adjust their strategies in response to improving cybersecurity defenses.
Recent research by Sophos sheds light on the interconnected nature of ransomware groups. Vice Society's apparent dormancy since July 2023 coincided with Rhysida's emergence. The ever-changing landscape is further highlighted by the BlackCat ransomware gang's use of Google ads to deliver Nitrogen malware. This dynamic approach underlines the continuous adaptation and innovation within the ransomware ecosystem.
The rise of Rhysida and its association with Vice Society underscores the urgency for organizations to bolster their cybersecurity measures. With the threat landscape constantly evolving, collaboration between security agencies and continuous vigilance within the cybersecurity community are imperative to thwart emerging ransomware threats. As the year unfolds, the dynamics of the ransomware landscape continue to shift, emphasizing the critical need for robust defenses against these ever-adapting cyber adversaries.